ASB AUG 2025 Security Patches integration

aosp_diff/preliminary/build/release/0001-Update-RELEASE_PLATFORM_SECURITY_PATCH-string.patch

@@ -20,7 +20,7 @@ index 4075b588..985e7b01 100644
  name: "RELEASE_PLATFORM_SECURITY_PATCH"
  value: {
 -  string_value: "2025-03-05"
-+  string_value: "2025-06-01"
++  string_value: "2025-08-01"
  }
 -- 
 2.34.1

aosp_diff/preliminary/frameworks/base/0018-RemoteViews-Always-load-new-ApplicationInfo-from-Pac.patch

@@ -0,0 +1,78 @@
+From ab7f9ce2684be11aa23b6e2bf4b6777f5190a557 Mon Sep 17 00:00:00 2001
+From: Zak Cohen <zakcohen@google.com>
+Date: Fri, 17 Jan 2025 15:16:13 -0800
+Subject: [PATCH] RemoteViews - Always load new ApplicationInfo from
+ PackageManager.
+
+Always load ApplicationInfo object needed for RemoteViews Contexts directly
+from PackageManager. The key used is the package name.
+
+Previously this object was read from the RemoteViews bundle, which was
+provided by the Widget providing app, and this object could not be relied
+on to have accurate data fields.
+
+Bug: 376028556
+Flag: EXEMPT Security Fix
+Test: atest CtsWidgetTestCases:RemoteViewsActivityTest#testApplicationInfo
+Change-Id: Ie263b51fd2c2bdbf9d622533bb3f77d9f3f7181e
+(cherry picked from commit 352fb4821076f0209ab2092d53444503dcec8992)
+Merged-In: Ie263b51fd2c2bdbf9d622533bb3f77d9f3f7181e
+---
+ core/java/android/appwidget/AppWidgetHostView.java |  4 ----
+ core/java/android/widget/RemoteViews.java          | 11 ++++++++---
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/core/java/android/appwidget/AppWidgetHostView.java b/core/java/android/appwidget/AppWidgetHostView.java
+index df1028e9e04c..b9b5c6a8bbc3 100644
+--- a/core/java/android/appwidget/AppWidgetHostView.java
++++ b/core/java/android/appwidget/AppWidgetHostView.java
+@@ -20,7 +20,6 @@ import android.annotation.NonNull;
+ import android.annotation.Nullable;
+ import android.app.Activity;
+ import android.app.ActivityOptions;
+-import android.app.LoadedApk;
+ import android.compat.annotation.UnsupportedAppUsage;
+ import android.content.ComponentName;
+ import android.content.Context;
+@@ -753,9 +752,6 @@ public class AppWidgetHostView extends FrameLayout implements AppWidgetHost.AppW
+      */
+     protected Context getRemoteContextEnsuringCorrectCachedApkPath() {
+         try {
+-            ApplicationInfo expectedAppInfo = mInfo.providerInfo.applicationInfo;
+-            LoadedApk.checkAndUpdateApkPaths(expectedAppInfo);
+-            // Return if cloned successfully, otherwise default
+             Context newContext = mContext.createApplicationContext(
+                     mInfo.providerInfo.applicationInfo,
+                     Context.CONTEXT_RESTRICTED);
+diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
+index 9fe3fd6ddc1a..e7fa80f3e11d 100644
+--- a/core/java/android/widget/RemoteViews.java
++++ b/core/java/android/widget/RemoteViews.java
+@@ -44,7 +44,6 @@ import android.app.Activity;
+ import android.app.ActivityOptions;
+ import android.app.ActivityThread;
+ import android.app.Application;
+-import android.app.LoadedApk;
+ import android.app.PendingIntent;
+ import android.app.RemoteInput;
+ import android.appwidget.AppWidgetHostView;
+@@ -8479,8 +8478,14 @@ public class RemoteViews implements Parcelable, Filter {
+                 return context;
+             }
+             try {
+-                LoadedApk.checkAndUpdateApkPaths(mApplication);
+-                Context applicationContext = context.createApplicationContext(mApplication,
++                // Use PackageManager as the source of truth for application information, rather
++                // than the parceled ApplicationInfo provided by the app.
++                ApplicationInfo sanitizedApplication =
++                        context.getPackageManager().getApplicationInfoAsUser(
++                                mApplication.packageName, 0,
++                                UserHandle.getUserId(mApplication.uid));
++                Context applicationContext = context.createApplicationContext(
++                        sanitizedApplication,
+                         Context.CONTEXT_RESTRICTED);
+                 // Get the correct apk paths while maintaining the current context's configuration.
+                 return applicationContext.createConfigurationContext(
+-- 
+2.34.1
+

aosp_diff/preliminary/frameworks/base/0019-Handle-exceptions-from-querying-appinfo-in-RemoteViews-addAppWid.bulletin.patch

@@ -0,0 +1,47 @@
+From 1e9f4e8998cc934699405bbe0779b706cfb43905 Mon Sep 17 00:00:00 2001
+From: Sunny Goyal <sunnygoyal@google.com>
+Date: Thu, 13 Feb 2025 09:49:26 -0800
+Subject: [PATCH] Handle exceptions from querying appinfo in
+ RemoteViews#addAppWidget.
+
+Host process may not have access to the ApplicationInfo directly in some cases
+
+Bug: 395168279
+Change-Id: Ic26d63acea5f227b56d44bc2e417f7b189f0d2f2
+Test: Manual
+Flag: EXEMPT bugfix
+(cherry picked from commit 37bf5823504f2a256f128123393cd149721b87fc)
+---
+ core/java/android/widget/RemoteViews.java | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/core/java/android/widget/RemoteViews.java b/core/java/android/widget/RemoteViews.java
+index 7bf058a3ba1e..c26d9f4c02d7 100644
+--- a/core/java/android/widget/RemoteViews.java
++++ b/core/java/android/widget/RemoteViews.java
+@@ -6553,12 +6553,16 @@ public class RemoteViews implements Parcelable, Filter {
+                 return context;
+             }
+             try {
+-                // Use PackageManager as the source of truth for application information, rather
+-                // than the parceled ApplicationInfo provided by the app.
+-                ApplicationInfo sanitizedApplication =
+-                        context.getPackageManager().getApplicationInfoAsUser(
+-                                mApplication.packageName, 0,
+-                                UserHandle.getUserId(mApplication.uid));
++                ApplicationInfo sanitizedApplication = mApplication;
++                try {
++                    // Use PackageManager as the source of truth for application information, rather
++                    // than the parceled ApplicationInfo provided by the app.
++                    sanitizedApplication = context.getPackageManager().getApplicationInfoAsUser(
++                        mApplication.packageName, 0, UserHandle.getUserId(mApplication.uid));
++                } catch(SecurityException se) {
++                    Log.d(LOG_TAG, "Unable to fetch appInfo for " + mApplication.packageName);
++                }
++
+                 Context applicationContext = context.createApplicationContext(
+                         sanitizedApplication,
+                         Context.CONTEXT_RESTRICTED);
+-- 
+2.50.0.rc0.604.gd4ff7b7c86-goog
+

aosp_diff/preliminary/frameworks/base/0020-Defer-remove-splash-screen-while-device-is-locked.patch

@@ -0,0 +1,172 @@
+From 0f3219b2ffd7a834b96cff0e84a5f3fa97d310da Mon Sep 17 00:00:00 2001
+From: wilsonshih <wilsonshih@google.com>
+Date: Tue, 31 Dec 2024 08:25:26 +0000
+Subject: [PATCH] Defer remove splash screen while device is locked
+
+...and activity does not request showWhenLocked.
+The splash screen won't contains secure information, so it's safe to
+declared as showWhenLocked. But before remove starting window, if the
+activity does not request showWhenLocked and device is locked, try to
+trigger unoccluding animation, and keep app window hide until transition
+animation finish.
+
+Bug: 378088391
+Bug: 383131643
+Test: run simulate app repeatly, verify the app content won't be visible
+during transition animation.
+
+Merged-In: Ia2ddece125521eefb15d67e22ea863dfae6af112
+Change-Id: Ia2ddece125521eefb15d67e22ea863dfae6af112
+---
+ .../com/android/server/wm/ActivityRecord.java | 24 +++++++++++++++++++
+ .../com/android/server/wm/StartingData.java   |  7 ++++++
+ .../com/android/server/wm/Transition.java     |  9 +++++++
+ .../com/android/server/wm/WindowState.java    | 15 ++++++++++++
+ 4 files changed, 55 insertions(+)
+
+diff --git a/services/core/java/com/android/server/wm/ActivityRecord.java b/services/core/java/com/android/server/wm/ActivityRecord.java
+index 3b582924ec96..88d0ad67fb21 100644
+--- a/services/core/java/com/android/server/wm/ActivityRecord.java
++++ b/services/core/java/com/android/server/wm/ActivityRecord.java
+@@ -230,6 +230,7 @@ import static com.android.server.wm.IdentifierProto.USER_ID;
+ import static com.android.server.wm.StartingData.AFTER_TRANSACTION_COPY_TO_CLIENT;
+ import static com.android.server.wm.StartingData.AFTER_TRANSACTION_IDLE;
+ import static com.android.server.wm.StartingData.AFTER_TRANSACTION_REMOVE_DIRECTLY;
++import static com.android.server.wm.StartingData.AFTER_TRANSITION_FINISH;
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_APP_TRANSITION;
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_PREDICT_BACK;
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_WINDOW_ANIMATION;
+@@ -2809,9 +2810,28 @@ final class ActivityRecord extends WindowToken implements WindowManagerService.A
+         attachStartingSurfaceToAssociatedTask();
+     }
+
++    /**
++     * If the device is locked and the app does not request showWhenLocked,
++     * defer removing the starting window until the transition is complete.
++     * This prevents briefly appearing the app context and causing secure concern.
++     */
++    void deferStartingWindowRemovalForKeyguardUnoccluding() {
++        if (mStartingData != null
++                && mStartingData.mRemoveAfterTransaction != AFTER_TRANSITION_FINISH
++                && isKeyguardLocked() && !canShowWhenLockedInner(this) && !isVisibleRequested()
++                && mTransitionController.inTransition(this)) {
++            mStartingData.mRemoveAfterTransaction = AFTER_TRANSITION_FINISH;
++        }
++    }
++
+     void removeStartingWindow() {
+         boolean prevEligibleForLetterboxEducation = isEligibleForLetterboxEducation();
+
++        if (mStartingData != null
++                && mStartingData.mRemoveAfterTransaction == AFTER_TRANSITION_FINISH) {
++            return;
++        }
++
+         if (transferSplashScreenIfNeeded()) {
+             return;
+         }
+@@ -4657,6 +4677,10 @@ final class ActivityRecord extends WindowToken implements WindowManagerService.A
+                     }
+                 }
+
++                if (mStartingData.mRemoveAfterTransaction == AFTER_TRANSITION_FINISH) {
++                    mStartingData.mRemoveAfterTransaction = AFTER_TRANSACTION_IDLE;
++                }
++
+                 ProtoLog.v(WM_DEBUG_ADD_REMOVE,
+                         "Removing starting %s from %s", tStartingWindow, fromActivity);
+                 mTransitionController.collect(tStartingWindow);
+diff --git a/services/core/java/com/android/server/wm/StartingData.java b/services/core/java/com/android/server/wm/StartingData.java
+index 896612d3d27a..282637dede7e 100644
+--- a/services/core/java/com/android/server/wm/StartingData.java
++++ b/services/core/java/com/android/server/wm/StartingData.java
+@@ -31,11 +31,18 @@ public abstract class StartingData {
+     static final int AFTER_TRANSACTION_REMOVE_DIRECTLY = 1;
+     /** Do copy splash screen to client after transaction done. */
+     static final int AFTER_TRANSACTION_COPY_TO_CLIENT = 2;
++    /**
++     * Remove the starting window after transition finish.
++     * Used when activity doesn't request show when locked, so the app window should never show to
++     * the user if device is locked.
++     **/
++    static final int AFTER_TRANSITION_FINISH = 3;
+
+     @IntDef(prefix = { "AFTER_TRANSACTION" }, value = {
+             AFTER_TRANSACTION_IDLE,
+             AFTER_TRANSACTION_REMOVE_DIRECTLY,
+             AFTER_TRANSACTION_COPY_TO_CLIENT,
++            AFTER_TRANSITION_FINISH,
+     })
+     @interface AfterTransaction {}
+
+diff --git a/services/core/java/com/android/server/wm/Transition.java b/services/core/java/com/android/server/wm/Transition.java
+index 1fc609b7d03a..dcced3ddbde7 100644
+--- a/services/core/java/com/android/server/wm/Transition.java
++++ b/services/core/java/com/android/server/wm/Transition.java
+@@ -73,6 +73,8 @@ import static com.android.server.wm.ActivityTaskManagerInternal.APP_TRANSITION_W
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_PREDICT_BACK;
+ import static com.android.server.wm.WindowContainer.AnimationFlags.PARENTS;
+ import static com.android.server.wm.WindowState.BLAST_TIMEOUT_DURATION;
++import static com.android.server.wm.StartingData.AFTER_TRANSACTION_IDLE;
++import static com.android.server.wm.StartingData.AFTER_TRANSITION_FINISH;
+ import static com.android.window.flags.Flags.enableDisplayFocusInShellTransitions;
+
+ import android.annotation.IntDef;
+@@ -1377,6 +1379,13 @@ class Transition implements BLASTSyncEngine.TransactionReadyListener {
+                         enterAutoPip = true;
+                     }
+                 }
++
++                if (ar.mStartingData != null && ar.mStartingData.mRemoveAfterTransaction
++                        == AFTER_TRANSITION_FINISH
++                        && (!ar.isVisible() || !ar.mTransitionController.inTransition(ar))) {
++                    ar.mStartingData.mRemoveAfterTransaction = AFTER_TRANSACTION_IDLE;
++                    ar.removeStartingWindow();
++                }
+                 final ChangeInfo changeInfo = mChanges.get(ar);
+                 // Due to transient-hide, there may be some activities here which weren't in the
+                 // transition.
+diff --git a/services/core/java/com/android/server/wm/WindowState.java b/services/core/java/com/android/server/wm/WindowState.java
+index cebe790bb1b9..3fa1130d86a3 100644
+--- a/services/core/java/com/android/server/wm/WindowState.java
++++ b/services/core/java/com/android/server/wm/WindowState.java
+@@ -126,6 +126,7 @@ import static com.android.server.wm.IdentifierProto.USER_ID;
+ import static com.android.server.wm.MoveAnimationSpecProto.DURATION_MS;
+ import static com.android.server.wm.MoveAnimationSpecProto.FROM;
+ import static com.android.server.wm.MoveAnimationSpecProto.TO;
++import static com.android.server.wm.StartingData.AFTER_TRANSITION_FINISH;
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_ALL;
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_APP_TRANSITION;
+ import static com.android.server.wm.SurfaceAnimator.ANIMATION_TYPE_STARTING_REVEAL;
+@@ -1920,6 +1921,13 @@ class WindowState extends WindowContainer<WindowState> implements WindowManagerP
+         }
+         final ActivityRecord atoken = mActivityRecord;
+         if (atoken != null) {
++            if (atoken.mStartingData != null && mAttrs.type != TYPE_APPLICATION_STARTING
++                    && atoken.mStartingData.mRemoveAfterTransaction
++                    == AFTER_TRANSITION_FINISH) {
++                // Preventing app window from visible during un-occluding animation playing due to
++                // alpha blending.
++                return false;
++            }
+             final boolean isVisible = isStartingWindowAssociatedToTask()
+                     ? mStartingData.mAssociatedTask.isVisible() : atoken.isVisible();
+             return ((!isParentWindowHidden() && isVisible)
+@@ -2925,7 +2933,14 @@ class WindowState extends WindowContainer<WindowState> implements WindowManagerP
+             final int mask = FLAG_SHOW_WHEN_LOCKED | FLAG_DISMISS_KEYGUARD
+                     | FLAG_ALLOW_LOCK_WHILE_SCREEN_ON;
+             WindowManager.LayoutParams sa = mActivityRecord.mStartingWindow.mAttrs;
++            final boolean wasShowWhenLocked = (sa.flags & FLAG_SHOW_WHEN_LOCKED) != 0;
++            final boolean removeShowWhenLocked = (mAttrs.flags & FLAG_SHOW_WHEN_LOCKED) == 0;
+             sa.flags = (sa.flags & ~mask) | (mAttrs.flags & mask);
++            if (wasShowWhenLocked && removeShowWhenLocked) {
++                // Trigger unoccluding animation if needed.
++                mActivityRecord.checkKeyguardFlagsChanged();
++                mActivityRecord.deferStartingWindowRemovalForKeyguardUnoccluding();
++            }
+         }
+     }
+
+-- 
+2.34.1
+